RE: [LARTC] mangle

I mark everything on my internal interface. I have classes for incoming websurfing traffic, for which I use HTB to control the traffic. This is done on my internal NIC. I also have classes on my external interface which control my outgoing traffic such as web (port 80) and smtp (port 25). This is done on my external NIC.

Mike Fetherston

-----Original Message-----
From: Eddie [mailto:[EMAIL PROTECTED]
Sent: Monday, December 08, 2003 10:02 AM
To: Mike
Subject: RE: [LARTC] mangle

So you put all rules on your internal interface?

On Mon, 2003-12-08 at 16:43, Mike wrote:

In my case eth1 is my internal NIC. I'm giving certain groups of IPs certain amounts of bandwidth. If you're trying to give full bandwidth to ssh traffic, you could mark on destination port 22 and assign that mark to a flowid with full bandwidth. I believe you would still use the PREROUTING table to mark with. Why do you want to give SSH traffic full bandwidth?

Mike Fetherston

-----Original Message-----
From: Eddie [mailto:[EMAIL PROTECTED]
Sent: Monday, December 08, 2003 9:53 AM
To: Mike
Subject: RE: [LARTC] mangle

Ok, that is how I have it. If eth1 is external, this will shape traffic for all the LAN people, right? BUT what do I do to give me full bandwidth when I ssh remotely to work on the box? Will I use OUTPUT??

Thanks, it helped a lot :-) really

On Mon, 2003-12-08 at 16:31, Mike wrote:

I've been using PREROUTING to mark packets and it's been working very well.

iptables -t mangle -I PREROUTING -i eth1 -s $IP -j MARK --set-mark 3

and if you're using HTB, this command:

tc filter add dev eth0 parent 1:0 protocol ip prio 2 handle 3 fw flowid 1:13

will act on those marked packets. It's the 'handle 3' which uses the --set-mark 3.

Mike Fetherston

-----Original Message-----
From: Eddie [mailto:[EMAIL PROTECTED]
Sent: Monday, December 08, 2003 8:40 AM
To: lartc
Subject: [LARTC] mangle

Hi all

I have a linux gateway box, eth1 internet and eth0 lan. Now I made my qdisc for eth1 but now I want to mark them with iptables. The thing is I don't know what to use, -A FORWARD or PREROUTING?

Please can someone help

thanks
eddie

___
LARTC mailing list / [EMAIL PROTECTED]
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/
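The exchange above leaves two things implicit: forwarded LAN packets can be marked in PREROUTING (or FORWARD) but never visit OUTPUT, while the gateway's own ssh replies are locally generated and only pass OUTPUT, so Eddie's "full bandwidth for my ssh session" needs a second rule in a different chain. The script below is an added example, not code from anyone in the thread. It generates the iptables mangle rules and the matching HTB classes and fw filters for Eddie's layout (eth0 = LAN, eth1 = internet, shaping upload on eth1) and then checks that every mark set by iptables is consumed by exactly one `handle N fw` filter, which is the coupling Mike describes. The mark numbers, class ids, rates and the 192.168.1.0/24 range are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example, not code from the thread. Generates the iptables mangle rules
# and the matching HTB classes / fw filters for a gateway with eth0 = LAN and
# eth1 = internet, shaping upload on eth1. The mark numbers, class ids, rates
# and the LAN range are assumptions for the example.

LAN_IF=eth0
WAN_IF=eth1
LAN_NET=192.168.1.0/24

# One mark number per HTB class. Forwarded LAN traffic is marked in
# PREROUTING (it never visits OUTPUT); the gateway's own ssh replies are
# locally generated, so they only pass OUTPUT and must be marked there.
MARK_LAN=3     # -> class 1:13, the default class
MARK_SSH=4     # -> class 1:14, reserved for the admin's ssh session

mangle_rule() {
    # mangle_rule CHAIN MARK MATCH... : print one MARK rule
    chain=$1; mark=$2; shift 2
    echo "iptables -t mangle -A $chain $* -j MARK --set-mark $mark"
}

fw_filter() {
    # fw_filter MARK CLASSID : hand packets carrying MARK to CLASSID on the WAN side
    echo "tc filter add dev $WAN_IF parent 1:0 protocol ip prio 2 handle $1 fw flowid $2"
}

build_plan() {
    # root qdisc and a parent class holding the whole uplink
    echo "tc qdisc add dev $WAN_IF root handle 1: htb default 13"
    echo "tc class add dev $WAN_IF parent 1: classid 1:1 htb rate 1000kbit ceil 1000kbit"
    # LAN upload: guaranteed 800kbit, may borrow up to the full link
    echo "tc class add dev $WAN_IF parent 1:1 classid 1:13 htb rate 800kbit ceil 1000kbit prio 1"
    # ssh from the box itself: small guarantee, highest priority, may borrow everything
    echo "tc class add dev $WAN_IF parent 1:1 classid 1:14 htb rate 200kbit ceil 1000kbit prio 0"

    mangle_rule PREROUTING "$MARK_LAN" -i "$LAN_IF" -s "$LAN_NET"
    mangle_rule OUTPUT     "$MARK_SSH" -o "$WAN_IF" -p tcp --sport 22

    fw_filter "$MARK_LAN" 1:13
    fw_filter "$MARK_SSH" 1:14
}

check_marks() {
    # check_marks PLAN : every --set-mark N must be consumed by exactly one
    # 'handle N fw' filter, otherwise marked packets silently fall into the
    # default class (or a filter waits for a mark nobody sets).
    plan=$1
    for m in $(printf '%s\n' "$plan" | sed -n 's/.*--set-mark \([0-9][0-9]*\).*/\1/p' | sort -u); do
        n=$(printf '%s\n' "$plan" | grep -c "handle $m fw" || true)
        [ "$n" -eq 1 ] || { echo "mark $m is matched by $n fw filters" >&2; return 1; }
    done
    return 0
}

# Dry run: print the plan and verify it. To apply on a real gateway
# (as root), pipe the plan into a shell: build_plan | sh
plan=$(build_plan)
printf '%s\n' "$plan"
check_marks "$plan" && echo "marks and fw filters are consistent"
```

The script only prints the commands by default, so it can be reviewed before anything touches the box; the check is deliberately text-based so it can also be run against an existing rule dump (for example the output of `iptables-save -t mangle` concatenated with `tc filter show dev eth1`) to catch a mark that was set but never picked up by a filter.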
Re: [LARTC] mangle

On Monday, 08 December 2003, at 15:39:48 +0200, Eddie wrote:

> I have a linux gateway box, eth1 internet and eth0 lan. Now I made my qdisc for eth1 but now I want to mark them with iptables. The thing is I don't know what to use, -A FORWARD or PREROUTING?

Check for the Kernel Packet Traveling Diagram at:

http://www.docum.org/stef.coene/qos/kptd/

You will see very clearly the path of packets traversing your Linux box, and will be able to know the exact place where to mark traffic.

Greetings.

--
Jose Luis Domingo Lopez
Linux Registered User #189436
Debian Linux Sid (Linux 2.6.0-test10-mm1)
RE: [LARTC] mangle

> On Monday, 08 December 2003, at 15:39:48 +0200, Eddie wrote:
>
> > I have a linux gateway box, eth1 internet and eth0 lan. Now I made my qdisc for eth1 but now I want to mark them with iptables. The thing is I don't know what to use, -A FORWARD or PREROUTING?
>
> Check for the Kernel Packet Traveling Diagram at:
>
> http://www.docum.org/stef.coene/qos/kptd/

Please note that this diagram is not valid for iptables. When using iptables, packets that are traversing the linux box (forwarded traffic) do not go through the INPUT and OUTPUT chains.

You'll find an iptables packet traversal diagram at:

http://www.knowplace.org/netfilter/packet_traversal.gif

Rgds,
Ronnie.
RE: [LARTC] mangle

Whoa!! Back up the truck!

: Check for the Kernel Packet Traveling Diagram at:
: http://www.docum.org/stef.coene/qos/kptd/
:
: Please note that this diagram is not valid for iptables.

I think I disagree.

: When using iptables, packets that are traversing the linux box
: (forwarded traffic) do not go through the INPUT and OUTPUT chains.

The KPTD hosted on docum.org certainly does accurately reflect the traversal of iptables. Please send corrections if you find something wrong with the KPTD. This was a collective effort by Leonardo Balliache, Stef Coene, and some others on this very list. It doesn't depict the relationship between iptables and bridging, but that is a well-known exception to this diagram.

: You'll find an iptables packet traversal diagram at:
: http://www.knowplace.org/netfilter/packet_traversal.gif

This is a fine picture, too, though, Ron.

-Martin

--
Martin A. Brown --- SecurePipe, Inc. --- [EMAIL PROTECTED]
Re: [LARTC] mangle

On Monday, 08 December 2003, at 17:18:52 +0100, Ronnie Garcia wrote:

> Please note that this diagram is not valid for iptables.

I think you did not interpret the diagram correctly. For iptables you will have to focus just on the BLUE boxes with the CAPITAL names, and forget about the lowercase ones, which are for ipchains.

And each packet entering the box will follow just one path, and this path is determined after the routing stage: any packet going through the box (neither generated by nor destined to it) will take the path on the right, through the FORWARD chain of iptables. From then on the travel is simple to follow.

Hope it helps.

--
Jose Luis Domingo Lopez
Linux Registered User #189436
Debian Linux Sid (Linux 2.6.0-test10-mm1)
RE: [LARTC] mangle

> On Monday, 08 December 2003, at 17:18:52 +0100, Ronnie Garcia wrote:
>
> > Please note that this diagram is not valid for iptables.
>
> I think you did not interpret the diagram correctly. For iptables you will have to focus just on the BLUE boxes with the CAPITAL names, and forget about the lowercase ones, which are for ipchains.

My bad, that's right. The diagram is a bit confusing like this; what about drawing two different diagrams, since ipchains and netfilter behave quite differently? I can send diffs if needed =)

Rgds,
Ronnie.